Balbooa Forms unauthenticated file-upload RCE
The Balbooa Forms Joomla extension (com_baforms) up to 2.4.0 accepts unauthenticated file uploads that permit dropping a PHP file to the web root, leading to remote code execution. Fixed in 2.4.1. CVSS 9.8. Added to CISA KEV on 2026-07-10.
- Vendor
- Balbooa
- Product
- Forms (Joomla extension, com_baforms)
- CVSS
- 9.8
- EPSS (exploit probability)
- N/A
- Status
- kev
- Published
CVE-2026-56291 is an unauthenticated arbitrary-file-upload flaw in Balbooa Forms, the com_baforms extension for Joomla. Per NVD, the flaw permits uploading a file “with a dangerous type” — in practice, a PHP file — which the web server then executes when requested, yielding remote code execution as the Joomla process. No authentication is required. CWE-434.
Advisory context
CISA added CVE-2026-56291 to the Known Exploited Vulnerabilities catalog on 2026-07-10, alongside CVE-2026-48939 in iCagenda — a second Joomla extension with the same file-upload-to-RCE shape. Federal due date on both is 2026-07-13.
Discovery and coordinated disclosure came from Phil E. Taylor at mySites.guru, who reports affected versions through 2.4.0 and the fix in 2.4.1. This is the third Joomla-extension add to KEV in four days after the 2026-07-07 additions of Joomlack Page Builder and JoomShaper SP Page Builder.
What to do
Verify whether com_baforms is installed via the Joomla admin’s Extensions Manager or a SELECT * FROM #__extensions WHERE element='com_baforms' query. If present, upgrade Balbooa Forms to 2.4.1 immediately. If the site has been publicly reachable with a vulnerable install, audit images/, template upload directories, and any writable path for unexpected .php or .phtml files, and treat any find as an incident.
Priority guidance and the broader Joomla-extension audit angle are in the article writeup. Canonical NVD record: CVE-2026-56291.